The present invention relates to data center infrastructure, and more particularly, this invention relates to providing deep packet inspection services to virtual overlay network traffic in a data center.
Virtual Overlay Networks, such as virtual extensible local area network (VXLAN), distributed overlay virtualization Ethernet (DOVE), and others, use protocol headers that are encapsulated in packets on top of the original network packet to create location transparency. Due to the additional encapsulation protocol headers, it is not possible for existing or legacy Inter-Networking Elements (INEs), such as physical infrastructure routers and switches, among others, to determine information from within the original packet. This is because the original packet inside of the overlay protocol headers is encapsulated as a traditional data payload to the legacy INEs. Furthermore, this lack of visibility of the original packet prevents INEs from implementing sophisticated network security and services.
Protocols like VXLAN use User Datagram Protocol/Internet Protocol (UDP/IP) to encapsulate the original Ethernet packet for transmission over physical networks. The original Ethernet packets are tunneled through the network from an originator to the nearest VXLAN gateway. VXLAN gateways connect virtual networks to non-virtual networks (legacy networks having physical components). Since VXLAN gateways understand (i.e., are capable of processing) the VXLAN protocol and its tunnels, they have the capability to identify the encapsulated packets.
Furthermore, virtual machines (VMs) in an overlay network, such as a VXLAN or DOVE network, that belong to a common tenant (e.g., a single user of the network resources, such as a company, agency, individual, etc.) may be sorted into groups (such as virtual networks having different virtual network identifiers (VNIDs) in VXLAN, domains having different domain identifiers or DOVE Virtual Groups (DVG) in DOVE) such that security policy rules may be applied governing communications between VMs which belong to different groups. A typical method to apply security policy is to use physical security appliances that are accessible on the network and which have the ability to apply specific security services.
Therefore, in order to apply security services to overlay network traffic, the traffic must be routed to the physical security appliances. However, the intermediate network devices, such as switches, routers, etc., do not have visibility inside of the overlay traffic, and therefore do not understand that some traffic should be routed to the physical security appliances while other traffic should be routed directly to its designated destination address.
Therefore, a method and network architecture that routes the overlay traffic which needs security services applied to the physical security appliances, while routing all other traffic directly between the source and destination VMs, would be very beneficial.
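As an added illustration (not part of the patent text), the following Python walks a constructed VXLAN frame the way a legacy INE can (outer headers only, the rest is opaque payload) and the way a VXLAN gateway can (VNI plus the tenant's inner headers), then applies the group-boundary steering decision described above. The VM-to-VNID directory, addresses, MAC values and UDP source port are constructed assumptions; only the VXLAN port 4789 and header layout are standard.

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN destination port

def parse_ethernet(buf):
    dst, src, ethertype = struct.unpack("!6s6sH", buf[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}, buf[14:]

def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4  # header length in bytes, options included
    src, dst = struct.unpack("!4s4s", buf[12:20])
    return {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": buf[9]}, buf[ihl:]

def parse_vxlan(buf):
    if not buf[0] & 0x08:  # the "I" flag must be set for the VNI field to be valid
        raise ValueError("VXLAN header without I flag")
    return {"vni": int.from_bytes(buf[4:7], "big")}, buf[8:]

def decapsulate(frame):
    """Return (legacy_view, gateway_view): what a VXLAN-unaware INE can act on vs. what a gateway can."""
    _, rest = parse_ethernet(frame)
    oip, rest = parse_ipv4(rest)
    dport, rest = struct.unpack("!H", rest[2:4])[0], rest[8:]  # UDP destination port; skip UDP header
    legacy = {"outer_src": oip["src"], "outer_dst": oip["dst"], "udp_dport": dport, "opaque_payload_len": len(rest)}
    if dport != VXLAN_UDP_PORT:
        return legacy, None  # not VXLAN: the UDP payload is plain data to every device
    vx, rest = parse_vxlan(rest)
    _, rest = parse_ethernet(rest)  # the tenant's original (inner) Ethernet frame
    iip, _ = parse_ipv4(rest)
    return legacy, {"vni": vx["vni"], "inner_src": iip["src"], "inner_dst": iip["dst"]}

VM_GROUP = {"10.0.1.10": 100, "10.0.1.20": 100, "10.0.2.30": 200}  # constructed directory (assumption): VM address -> VNID of its group

def steer(frame, vm_group=VM_GROUP):
    """Gateway decision: traffic that crosses a group (VNID) boundary, or whose destination is unknown, goes via the security appliance."""
    _, gw = decapsulate(frame)
    if gw is None:
        return "forward"  # non-overlay traffic: no inter-group policy applies
    return "security-appliance" if vm_group.get(gw["inner_dst"]) != gw["vni"] else "direct"

def build_frame(vni, inner_src, inner_dst, outer_src="192.0.2.1", outer_dst="192.0.2.2"):
    """Constructed sample: inner Ethernet/IPv4 (TCP, no payload) wrapped in VXLAN/UDP/IPv4/Ethernet."""
    def eth(dst, src): return dst + src + struct.pack("!H", 0x0800)
    def ip4(src, dst, plen, proto): return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, 0, 0, 64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    inner = eth(b"\x02" * 6, b"\x04" * 6) + ip4(inner_src, inner_dst, 0, 6)
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"  # flags, reserved, 24-bit VNI, reserved
    udp = struct.pack("!HHHH", 50000, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner), 0)
    return eth(b"\xaa" * 6, b"\xbb" * 6) + ip4(outer_src, outer_dst, len(udp) + len(vxlan) + len(inner), 17) + udp + vxlan + inner
```

Note that the legacy view never contains the tenant addresses or the VNI, which is exactly why an intermediate switch cannot tell which flows need the security appliance.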